Australia's Leading Computer Emergency Response Team

Low volume "Bird Flu" trojan spam run
Date: 02 August 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=7929

Over the past few days there has been what appears to be a low volume spam run warning of H5N1 bird flu supposedly breaking out in various places. Example subject lines of the messages include:

  • Bird flue case discovered in the USA.
  • Deadly H5N1 bird flu virus suspected in a vicinity of London.
  • Protect yourself and your family from bird flu!
  • The European Commission has also confirmed that the bird flue found in Turkey is the H5N1 type which is lethal for humans.

Example message text can look like:

"The European Commission has also confirmed that the bird flue found in Turkey 
is the H5N1 type which is lethal for humans. The same type of bird flu had killed 
over 60 people in Asia"
FOX News  

"Deadly H5N1 bird flu virus suspected in a vicinity of London. Presence of antigen
and genetic material of H5N1 subtype of bird flue virus in some of the samples"
USA Today

"Bird flue case discovered in the USA. 2,000 turkeys had died of the disease on 
Balikesir farm. All animals on the farm had been slaughtered to prevent the 
disease spreading"
Reuters

Protect yourself and your family from bird flu!
Many of you know our site very well. Our goal is to provide our customers with
rare and high efficiency medicines. We have already helped thousands of people
to get rid of their diseases and improve their health as well as the quality of their
lives.
Right now we cannot leave you to face to face with this impending life-threat. 
We have a high efficiency European medicine   T a m i f l u to offer. 
_Tamiflu_ is a drug with generic name of Oseltamivir. It is a drug belonging to the
family of antivirals. Anti-virus drugs such as Tamiflu are used to treat diseases
that are caused by viruses thus, the name antiviral. 
_Tamiflu_ is indicated for the treatment of viral infections especially flu viruses.
_Tamiflu_ can treat influenza A and influenza B (Bird Flu). 

Don't wait before it's too late. Protect yourself and your family now!
More info on Our site

Digital signature: iaeeiyx

In the spam message, "Our site" is a hyperlink (href) to one of a few first stage infection sites (URLs have been altered):

  hxxp://www innomax-staff biz
  hxxp://www orionfinanceinc info
  hxxp://www substance-of-way com

These sites then link to the single second stage infection site (again, the URL has been altered):

  hxxp://nursing pe kr/999 htm

This second stage infection site attempts to open frames to bbc.com (legitimate) and to the third stage infection site:

  hxxp://apice-snn com/999/

Interestingly enough, this domain has been used quite extensively in the past to host trojans and as a drop/logging site for trojans. The domain also bears some resemblance to the domain used in the Prime Minister heart attack trojan spam run, as per AusCERT Alert AL-2007.0026, which was:

  hxxp://apicesnn net/

Also note that the domain used as one of the first stage infection sites, namely orionfinanceinc info, was used in the recent ECard trojan spam run that used the MPACK malware hosting kit, as per AusCERT Alert AL-2007.0080.

We would be interested in reports of these messages, particularly if the numbers being seen start to increase. It might be a good idea to look through proxy logs for connections to these domains as well.
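
One way to run the proxy log check suggested above, as an added example that is not part of the original alert: a small Python scanner that reads Squid native access-log lines and matches each request's hostname (and its parent domains) against the domains listed in this alert. The log lines and client addresses are constructed samples, and the Squid native field layout is assumed.

```python
from urllib.parse import urlsplit

# Domains from the alert, re-fanged (it writes "hxxp" and spaces for dots).
INDICATORS = {
    "innomax-staff.biz": "stage 1",
    "orionfinanceinc.info": "stage 1",
    "substance-of-way.com": "stage 1",
    "nursing.pe.kr": "stage 2",
    "apice-snn.com": "stage 3",
    "apicesnn.net": "related (AL-2007.0026)",
}

def hostname_from_request(url):
    """Lowercase host of a proxied request; CONNECT lines carry only host:port."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    return host.lower() if host else ""

def indicator_for(host):
    """Match host or a parent domain on label boundaries, so 'notapice-snn.com'
    does not match 'apice-snn.com'."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate, INDICATORS[candidate]
    return None

def scan_squid_log(lines):
    """Return (client, matched domain, stage) per hit in Squid native log lines."""
    hits = []
    for line in lines:
        fields = line.split()  # time elapsed client code/status bytes method URL ...
        if len(fields) < 7:
            continue  # blank or truncated line
        match = indicator_for(hostname_from_request(fields[6]))
        if match:
            hits.append((fields[2], match[0], match[1]))
    return hits

# Constructed sample lines (not real traffic) in Squid native access-log format.
SAMPLE_LOG = [
    "1186012800.101 245 10.1.2.3 TCP_MISS/200 3412 GET http://www.orionfinanceinc.info/ - DIRECT/203.0.113.5 text/html",
    "1186012801.220 180 10.1.2.3 TCP_MISS/200 1024 GET http://nursing.pe.kr/999.htm - DIRECT/203.0.113.6 text/html",
    "1186012802.330 900 10.1.2.3 TCP_MISS/200 58000 GET http://www.bbc.com/ - DIRECT/203.0.113.7 text/html",
    "1186012803.440 120 10.1.2.9 TCP_MISS/200 0 CONNECT apice-snn.com:443 - DIRECT/203.0.113.8 -",
    "1186012804.550 110 10.1.2.9 TCP_MISS/200 512 GET http://notapice-snn.com/x - DIRECT/203.0.113.9 text/html",
]
```

Calling scan_squid_log(open("access.log")) on a real log yields the (client, domain, stage) hits; a customised log format needs the field indices adjusted.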

Matthew McGlashan